Late to the party; thought I would drop this here for others:
Dynamic Groups would work if you had an attribute that would denote which users should or should not have permission.
".memberof" was just added to Dynamic Groups about 6 months ago, however the '-notin' operator is not supported (you cannot enable Password Reset for all users, not a member of group 'X').
You would instead need to use some user level attribute to exclude users from the dynamic group.
Very sloppy. The actual solution is to allow for an exclusion group within the Password Reset control - similar to conditional access policies etc.
One possible solution would be to use Conditional Access Policies to prevent a group of users from "Register security information" under User actions. This may prevent self-service password reset as registration is required. Conditional Access Policies correctly allow for groups to be either included or excluded.
The more I think about it, the more I suspect this is another ploy to push customers to E5.
